DEV Community

Discussion on: SQL is Insecure

pysysops (Tim Birkett)

Let DNS and NTP die too... they're insecure and often used in DDoS attacks. Also my mail was opened and money stolen, let's stop using postal services.

Avoiding SQL / XSS is usually lesson 6 in any "Learn x in 24 hours" book.

I guess I fail to see the point of this article. "SQL" is such a broad term. It's a query language. It's like saying "stop using HTML". What products are bad? What languages?

The failure here isn't SQL or not using an ORM / prepared statements. The failure is the process.

Clearly a lack of effective code planning, code review, CI/CD pipeline testing, OWASP testing, input validation, decent WAF rules...

The failure is the shared responsibility of the BA/PM who spec'd the product, the dev who made the commits, the senior who reviewed or merged the code, the QA, whoever built the CD pipeline, the person who promoted deploys to production, the ops who run the infrastructure platform, the security guy... basically everyone should feel the pain.

Security really is everyone's concern. There should be a security specific inception or retro on every sprint that looks at the full stack.

Application code, do we need better testing at build time? Will a WAF like ModSecurity / nginx reverse proxy allow our app to function fully while evading common issues? Can we use OSSEC IDS or ELK to identify and respond to misbehaving clients from access logs? Can we block IP addresses and ranges that we know will not need to use our app (blocklist.de) 100%? Any of the above alone would have reduced the risk of hacker success to almost 0.

Securing any internet-facing app is the same. Secure code, secure config, blocklist, IDS / IPS and Log Visualisation. You'll evade 99.9% of attacks. Automated or human.

If I've got you thinking, check out:

blocklist.de
ossec.github.io
waf.comodo.com
elastic.co
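An added example of the "identify and respond to misbehaving clients from access logs" step the comment above describes; it is not part of the comment or of the original DEV post. The script parses web-server log lines in the Apache/nginx "combined" format, URL-decodes the request path so percent-encoding cannot hide a payload, matches a few SQL-injection and XSS probe signatures, and turns repeat offenders into a blocklist. The log lines are constructed for the example (documentation IP ranges, not real traffic), and the signature patterns, threshold and function names are assumptions chosen for illustration rather than anything taken from OSSEC, ELK or ModSecurity.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in "combined" log format (example data, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=5 HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /products?id=5'%20OR%20'1'%3D'1 HTTP/1.1" 500 512 "-" "sqlmap/1.7"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /products?id=5%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 512 "-" "sqlmap/1.7"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:56:10 +0000] "GET /products?id=7 HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:12 +0000] "GET /products?id=5;%20DROP%20TABLE%20users HTTP/1.1" 500 512 "-" "sqlmap/1.7"
"""

# One line of the combined format: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed, deliberately small probe signatures. They run against the *decoded* path,
# so "%20UNION%20SELECT" and "UNION SELECT" are treated the same.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s*'?\d|--\s*$|;\s*drop\s+table|\bsleep\s*\()"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|on\w+\s*=)"),
}


def parse_line(line):
    """Parse one combined-format line into a dict, adding the URL-decoded path; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote_plus(rec["path"])
    return rec


def classify(rec):
    """Names of the signatures that match this request's decoded path (empty list if clean)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(rec["decoded_path"])]


def analyse(log_text):
    """Map each client IP to a Counter of signature hits; clients with no hits are omitted."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the pipeline
        for name in classify(rec):
            hits[rec["ip"]][name] += 1
    return hits


def blocklist(hits, threshold=2):
    """IPs whose total probe count reaches the threshold. A single match can be a
    false positive (a legitimate search for the word 'union'), so require repeats."""
    return sorted(ip for ip, c in hits.items() if sum(c.values()) >= threshold)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for ip, counts in found.items():
        print(ip, dict(counts))
    print("block:", blocklist(found))
```

The output of `blocklist()` is what you would feed to a firewall or WAF deny rule, or correlate with an external list such as blocklist.de before acting. The signatures here are only a sketch; a real deployment would take the rule set from something maintained (the OWASP ModSecurity Core Rule Set, OSSEC's web rules) and keep the threshold and the decoding step, since most evasion in practice is encoding rather than novel payloads.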